From: Mark Silverman [MarkS@bocada.com]
Sent: Thursday, October 17, 2002 7:53 PM
To: 'regs.comments@federalreserve.gov'; 'regs.comments@occ.treas.gov';
'rule-comments@sec.gov'
Cc: Mark Silverman; Kim Chen
Subject: File No. S7-32-02 (Release No. 34-46432)
Subject: Comments on (Release # 34-46432; File # S7-32-02) Draft
Interagency White Paper on Sound Practices to Strengthen the Resilience
of the US Financial System (the "White Paper")
To Whom It May Concern,
In reviewing the White Paper as requested, we applaud the proposed
policies as an absolute necessity. We encourage you to add to your
current proposals in Article II, Section B.4., a recommendation for
the adoption of an independent audit and reporting solution to ensure
system reliability and compliance with established policies. The
recommendation also applies to the corresponding summary sections
relating to the implementation of systems that meet the reliability
and performance criteria specified in the White Paper.
Reasons for the Recommendation
1. Data Protection Systems Fail
Data backups are the last line of defense against data loss, and often
the backbone of any business continuity plan. Yet according to leading
market research firms, an estimated 40% to 60% of backups fail. [1] If
data is not backed up correctly, it cannot be recovered.
2. No Visibility into Data Protection Operations
Perhaps more disconcerting than the frequency of failures is the fact
that few IT professionals know whether their backups are successful, or
whether they are backing up everything they should (until they try to
recover their data, which is of course too late). In a recent poll by a
leading enterprise storage magazine, 36% of all IT professionals polled
said that not knowing whether they were adequately backing up their data
was their biggest problem.[2]
3. The Cause
The principal cause of backup reliability issues is the enormous complexity
and volatility of the IT environment, not the quality of the underlying
backup and recovery products. The typical enterprise backs up numerous
applications, blocks and files residing in a mixture of Windows, Unix and
Linux network operating systems, across heterogeneous networks to multiple
tape devices using backup management software from multiple vendors. The
result is a complex, volatile network of heterogeneous backup and storage
technologies that can quickly degrade without proactive day-to-day management.
4. Ensuring Integrity with Continuous Evaluation
With regard to the second paragraph on page 12, policies and specific
operational and recovery objectives as outlined are critical to the integrity
and continued operations of our financial infrastructure (as well as many other
critical businesses such as telecommunications, transportation, healthcare,
etc.). Unfortunately, articulated policies and objectives are rarely sufficient.
It is also necessary to continuously evaluate actual performance against
policies and objectives as indicated in #4 on page 7 and also in the second
paragraph in section C on page 13.
Recommendation
We recommend the addition of a requirement to implement a solution that
maintains auditable track records of data protection activity in order to
enable those responsible for system maintenance to ensure the protection of
critical data and systems, and validate compliance with policies. Specific
items/activities should be identified for full clarification and understanding.
Please feel free to contact me with any questions or to obtain further
information about the issues raised or the requirements for the solution
proposed. We would be happy to collaborate in any way.
Sincerely,
Mark Silverman
CEO
BOCADA™
marks@bocada.com
425.985.5885
The Storage Intelligence Company™
--------------------------------------------------------------------------------
[1] The Enterprise Storage Group and Enterprise Management Associates
[2] InfoStor, "IT's dirty little secret: Users raise concerns about backup
and recovery." August 2002.